Credentials are intercepted at multiple locations, when they are typed or used by the victim:

Password from successful login to the infected server: Whenever someone logs in a system infected with Linux/Ebury, the sshd daemon will save the password and send it to the exfiltration server.

Any password login attempt to the infected server: Even if the attempt is unsuccessful, the username and password used will be sent to the operators. They will be formatted differently, however, allowing the operators to differentiate these invalid credentials from the valid ones.

Password on successful login from the infected server: When someone uses the ssh client on an infected server, Linux/Ebury will intercept the password and sent it to its exfiltration server.

Private key passphrase: When the ssh client on an infected server prompts the user for an private key passphrase, the passphrase will be sent to the remote exfiltration server.

Unencrypted private key: When a private key is used to authenticate to a remote server, the unencrypted version is intercepted by the malware. Unlike passwords, it will not send the key to the exfiltration server. Instead, it will store it memory and wait for the operators to fetch the key with the Xcat command.

Private keys added to the OpenSSH agent with ssh-add: The keys added to an OpenSSH agent are also intercepted by the malware. Both the unencrypted key itself and the passphrase typed by the user will be logged.

Whatever the credential type, Linux/Ebury will add all relevant information for the operators to be able to use it, like the username, the target IP address and its OpenSSH listening port.